Network+ Guide to Networks 6th Edition
Network Security

Objectives
• Identify security threats and vulnerabilities in LANs and WANs and design security policies that minimize risks
• Explain security measures for network hardware and design, including firewalls, intrusion detection systems, and scanning tools
• Understand methods of encryption, such as SSL and IPSec, that can secure data in storage and in transit
• Describe how user authentication protocols, such as PKI, RADIUS, TACACS+, Kerberos, CHAP, MSCHAP, and EAP function
• Use network operating system techniques to provide basic security
• Understand wireless security protocols, such as WEP, WPA, and 802.11i

Security Assessment
• Examine network’s security risks
  – Consider effects
• Different organization types
  – Different network security risk levels
• Posture assessment
  – Thorough network examination
  – Determine possible compromise points
  – Performed in-house by IT staff
  – Performed by third party

Security Risks
• Hacker
  – Individual who gains unauthorized access to systems
• Vulnerability
  – Weakness of a system, process, or architecture
• Exploit
  – Means of taking advantage of a vulnerability
• Zero-day exploit
  – Taking advantage of an undiscovered software vulnerability
  – Most vulnerabilities are well known

Risks Associated with People
• Half of all security breaches
  – Human errors, ignorance, omissions
• Social engineering
  – Strategy to gain password
  – Phishing
    • Glean access, authentication information
    • Pose as someone needing information
• Many risks associated with people exist
• Easiest way to circumvent network security
  – Take advantage of human error

Risks Associated with Transmission and Hardware
• Physical, Data Link, and Network layer security risks
  – Require more technical sophistication
• Risks inherent in network hardware and design
  – Transmission interception
    • Man-in-the-middle attack
  – Eavesdropping
    • Networks connecting to Internet via leased public lines
  – Sniffing
    • Repeating devices broadcast traffic over entire segment
  – Port access via port scanner
    • Unused switch, router, server ports not secured
  – Private address availability to outside
    • Routers not properly configured to mask internal subnets
  – Router attack
    • Routers not configured to drop suspicious packets
  – Access servers not secured, monitored
  – Computers hosting sensitive data
    • May coexist on same subnet as public computers
  – Insecure passwords
    • Easily guessable or default values

Risks Associated with Protocols and Software
• Includes Transport, Session, Presentation, and Application layers
• Networking protocols and software risks
  – TCP/IP security flaws
  – Invalid trust relationships
  – NOS back doors, security flaws
  – Buffer overflow
  – NOS allows server operators to exit to command prompt
  – Administrators’ default security options
  – Intercepting transactions between applications

Risks Associated with Internet Access
• Network security compromise
  – More often “from the inside”
• Outside threats still very real
  – Web browsers permit scripts to access systems
  – Users provide information to sites
• Common Internet-related security issues
  – Improperly configured firewall
    • Outsiders obtain internal IP addresses: IP spoofing
  – Telnet or FTP sessions
    • Transmit user ID and password in plain text
  – Newsgroups, mailing lists, forms
    • Provide hackers user information
  – Chat session flashing
  – Denial-of-service attack
    • Smurf attack: hacker issues flood of broadcast ping messages

An Effective Security Policy
• Minimize break-in risk
  – Communicate with and manage users
  – Use thoroughly planned security policy
• Security policy
  – Identifies security goals, risks, authority levels, designated security coordinator, and team members
  – Responsibilities of each employee
  – How to address security breaches
• Not included in policy:
  – Hardware, software, architecture, and protocols
  – Configuration details

Security Policy Goals
• Typical goals
  – Ensure authorized users have appropriate resource access
  – Prevent unauthorized user access
  – Protect against unauthorized sensitive data access
    • Inside and outside
  – Prevent accidental hardware and software damage
  – Prevent intentional hardware or software damage
  – Create secure environment
    • Withstand, respond to, and recover from threat
  – Communicate employees’ responsibilities
• Strategy
  – Form committee
    • Involve as many decision makers as possible
    • Assign security coordinator to drive policy creation
  – Understand risks
    • Conduct posture assessment
    • Rate severity and likelihood of each threat
  – Assign person responsible for addressing threats

Security Policy Content
• Outline policy content
  – Define policy subheadings
• Explain to users:
  – What they can and cannot do
  – How measures protect network’s security
• User communication
  – Security newsletter
  – User security policy section
• Define what confidential means to the organization

Response Policy
• Security breach occurrence
  – Provide planned response
• Identify response team members
  – Understand security policy, risks, and measures in place
  – Accept role with certain responsibilities
  – Regularly rehearse defense
    • Threat drill
• Suggested team roles
  – Dispatcher
    • Person on call; first to notice; alerted to problem
  – Manager
    • Coordinates resources
  – Technical support specialist
    • One focus: solve problem quickly
  – Public relations specialist
    • Official spokesperson to public
• After problem resolution
  – Review process

Physical Security
• Restrict physical access to network components
  – Lock computer rooms, telco rooms, wiring closets, and equipment cabinets
• Locks can be physical or electronic
  – Electronic access badges
  – Locks requiring entrants to punch numeric code
  – Bio-recognition access

Figure 11-1 Badge access security system (Courtesy Course Technology/Cengage Learning)
• Physical barriers
  – Gates, fences, walls, and landscaping
• Closed-circuit TV systems monitor secured rooms
• Surveillance cameras
  – Data centers, telco rooms, data storage areas, facility entrances
  – Central security office capabilities
    • Display several camera views at once
    • Switch from camera to camera
  – Video footage used in investigation and prosecution
• Security audit
  – Ask questions related to physical security checks
• Consider losses from salvaged and discarded computers
  – Hard disk information stolen
  – Solutions
    • Run specialized disk sanitizer program
    • Remove disk and use magnetic hard disk eraser
    • Pulverize or melt disk

Security in Network Design
• Breaches may occur due to poor LAN or WAN design
  – Address through intelligent network design
• Preventing external LAN security breaches
  – Restrict access at every point where LAN connects to rest of the world

Router Access Lists
• Control traffic through routers
• Router’s main functions
  – Examine packets
  – Determine destination
    • Based on Network layer addressing information
• ACL (access control list)
  – Also called access list
  – Routers can decline to forward certain packets
• ACL variables used to permit or deny traffic
  – Network layer protocol (IP, ICMP)
  – Transport layer protocol (TCP, UDP)
  – Source IP address
  – Source netmask
  – Destination IP address
  – Destination netmask
  – TCP or UDP port number
• Router receives packet, examines packet
  – Refers to ACL for permit, deny criteria
  – Drops packet if deny characteristics match
  – Forwards packet if permit characteristics match
• Access list statement examples
  – Deny all traffic from source address with netmask 255.255.255.255
  – Deny all traffic destined for TCP port 23
• Separate ACLs for:
  – Interfaces; inbound and outbound traffic

Intrusion Detection and Prevention
• Proactive security measure
  – Detecting suspicious network activity
• IDS (intrusion detection system)
  – Software monitoring traffic
    • On dedicated IDS device
    • On another device performing other functions
• Port mirroring
  – One port makes copy of traffic to second port for monitoring
• IDS software detects many suspicious traffic patterns
  – Examples: denial-of-service, smurf attacks
• DMZ (demilitarized zone)
  – Network’s protective perimeter
  – IDS sensors installed at network edges
• IDS at DMZ drawback
  – Number of false positives logged
• IDS can only detect and log suspicious activity
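The IDS slides above say a sensor on a mirrored port watches traffic and flags patterns such as a smurf attack (a flood of broadcast ping messages). The Python below is an added example, not code from the textbook: a minimal detector that runs over constructed packet summaries and raises one alert per claimed source that sends a burst of ICMP echo requests to a broadcast address. The LAN range, the one-second window and the threshold of five are assumptions chosen for the example.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumptions for the example: the protected LAN and the alerting thresholds.
LAN = ip_network("10.1.0.0/16")
BROADCAST_ADDRS = {str(LAN.broadcast_address), "255.255.255.255"}
ECHO_REQUEST = 8  # ICMP type 8


@dataclass(frozen=True)
class Packet:
    """One packet summary as a sensor on a mirrored port would record it."""
    ts: float          # seconds since capture start
    src: str
    dst: str
    proto: str         # "icmp", "tcp" or "udp"
    icmp_type: int = -1


def is_broadcast_echo(pkt):
    """The smurf building block: an ICMP echo request aimed at a broadcast address."""
    return pkt.proto == "icmp" and pkt.icmp_type == ECHO_REQUEST and pkt.dst in BROADCAST_ADDRS


def detect_smurf(packets, window=1.0, threshold=5):
    """Alert once per claimed source that sends >= threshold broadcast echo
    requests inside any sliding window of `window` seconds.
    Returns {source: {"count", "first", "last", "note"}}."""
    recent = defaultdict(deque)   # claimed source -> timestamps inside the window
    alerts = {}
    for pkt in sorted(packets, key=lambda p: p.ts):
        if not is_broadcast_echo(pkt):
            continue
        stamps = recent[pkt.src]
        stamps.append(pkt.ts)
        while stamps and pkt.ts - stamps[0] > window:
            stamps.popleft()          # forget echoes older than the window
        if len(stamps) >= threshold and pkt.src not in alerts:
            # In a smurf attack the source address is forged to point at the
            # intended victim, so an inside source is a reason to warn the
            # responder, not a host to block.
            note = ("claimed source is on the LAN: probably the spoofed victim"
                    if ip_address(pkt.src) in LAN else "")
            alerts[pkt.src] = {"count": len(stamps), "first": stamps[0],
                               "last": pkt.ts, "note": note}
    return alerts


def sample_packets():
    """Constructed capture: normal traffic plus a burst of broadcast pings
    whose source claims to be an inside host."""
    burst = [Packet(0.1 * i, "10.1.5.20", "10.1.255.255", "icmp", ECHO_REQUEST)
             for i in range(6)]
    background = [
        Packet(0.05, "10.1.7.3", "10.1.2.10", "tcp"),
        Packet(0.20, "10.1.7.3", "10.1.2.10", "icmp", ECHO_REQUEST),         # ordinary ping
        Packet(0.30, "203.0.113.9", "10.1.255.255", "icmp", ECHO_REQUEST),   # one only, below threshold
        Packet(2.50, "10.1.5.20", "10.1.255.255", "icmp", 0),                # echo reply, ignored
    ]
    return burst + background


if __name__ == "__main__":
    for src, info in detect_smurf(sample_packets()).items():
        print(f"ALERT smurf pattern from {src}: {info['count']} broadcast echo "
              f"requests in {info['last'] - info['first']:.1f}s {info['note']}")
```

The note attached to the alert is the part worth keeping from this example: the slide's own caveat that an IDS only detects and logs means the responder still has to decide what to do, and in a smurf flood the "source" is usually the victim, so an automatic block on it would finish the attacker's job.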
• IPS (intrusion-prevention system)
  – Reacts to suspicious activity when alerted
  – Detects threat and prevents traffic from flowing to network
    • Based on originating IP address
• NIPS (network-based intrusion prevention)
  – Protects entire networks
• HIPS (host-based intrusion prevention)
  – Protects certain hosts

Figure 11-2 Placement of an IDS/IPS on a network (Courtesy Course Technology/Cengage Learning)

Firewalls
• Specialized device or computer installed with specialized software
  – Selectively filters and blocks traffic between networks
  – Involves hardware and software combination
• Firewall location
  – Between two interconnected private networks
  – Between private network and public network (network-based firewall)

Figure 11-3 Placement of a firewall between a private network and the Internet (Courtesy Course Technology/Cengage Learning)

Figure 11-4 Firewall (Courtesy of NETGEAR)

• Packet-filtering firewall
  – Simplest firewall
  – Examines header of every entering packet
  – Can block traffic entering or exiting a LAN
• Firewall default configuration
  – Blocks most common security threats
  – Preconfigured to accept and deny certain traffic types
  – Network administrators often customize settings
• Common packet-filtering firewall criteria
  – Source, destination IP addresses
  – Source, destination ports
  – Flags set in the IP header
  – Transmissions using UDP or ICMP protocols
  – Packet’s status as first packet in new data stream, subsequent packet
  – Packet’s status as inbound to, outbound from private network
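The Router Access Lists slides and the packet-filtering criteria just listed describe the same mechanism: an ordered list of permit/deny statements matched on protocol, addresses with masks, ports and stream state, bound per interface and direction. The following Python is an added example, not the textbook's or any router vendor's code, that evaluates such a list the way the slides describe (first match wins, nothing matched is dropped) and encodes both statement examples from the slide. The topology, addresses and rule set are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str             # "icmp", "tcp" or "udp"
    sport: int = 0
    dport: int = 0
    tcp_ack: bool = False  # set on every segment after the first of a TCP stream


@dataclass(frozen=True)
class Rule:
    """One access list statement.  A mask of 0.0.0.0 matches any address and
    255.255.255.255 matches exactly one host, as in the slide's example."""
    action: str                 # "permit" or "deny"
    proto: str = "ip"           # "ip" matches every protocol
    src: str = "0.0.0.0"
    src_mask: str = "0.0.0.0"
    dst: str = "0.0.0.0"
    dst_mask: str = "0.0.0.0"
    dport: Optional[int] = None
    established: bool = False   # only subsequent packets of an existing TCP stream


def _masked_match(addr, base, mask):
    a, b, m = (int(ip_address(x)) for x in (addr, base, mask))
    return (a & m) == (b & m)


def rule_matches(rule, pkt):
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if not _masked_match(pkt.src, rule.src, rule.src_mask):
        return False
    if not _masked_match(pkt.dst, rule.dst, rule.dst_mask):
        return False
    if rule.dport is not None and (pkt.proto not in ("tcp", "udp") or pkt.dport != rule.dport):
        return False
    if rule.established and not (pkt.proto == "tcp" and pkt.tcp_ack):
        return False
    return True


def evaluate(acl, pkt):
    """Walk the list top down; the first matching statement decides.  A packet
    that matches nothing is dropped (the implicit deny at the end of every ACL).
    Returns (action, index of the deciding rule or None)."""
    for index, rule in enumerate(acl):
        if rule_matches(rule, pkt):
            return rule.action, index
    return "deny", None


# Assumed topology: wan0 faces the Internet; the web server is 10.1.2.10.
HOST = "255.255.255.255"
ACLS = {
    ("wan0", "in"): [
        Rule("deny", src="203.0.113.7", src_mask=HOST),           # slide example: one host
        Rule("deny", proto="tcp", dport=23),                       # slide example: no Telnet
        Rule("permit", proto="tcp", established=True),             # replies to inside-initiated streams
        Rule("permit", proto="tcp", dst="10.1.2.10", dst_mask=HOST, dport=443),
    ],
    ("wan0", "out"): [
        Rule("permit", src="10.1.0.0", src_mask="255.255.0.0"),   # only our own addresses may leave
    ],
}


def filter_packet(interface, direction, pkt):
    """Apply the ACL bound to this interface and direction; no ACL means no filtering."""
    acl = ACLS.get((interface, direction))
    return evaluate(acl, pkt) if acl is not None else ("permit", None)


if __name__ == "__main__":
    samples = [
        Packet("198.51.100.5", "10.1.2.10", "tcp", 40001, 23),
        Packet("198.51.100.5", "10.1.2.10", "tcp", 40002, 443),
        Packet("203.0.113.7", "10.1.2.10", "tcp", 40003, 443),
        Packet("198.51.100.5", "10.1.7.3", "tcp", 443, 51000, tcp_ack=True),
        Packet("198.51.100.5", "10.1.7.3", "udp", 53, 51001),
    ]
    for p in samples:
        print(p.proto, p.src, "->", p.dst, p.dport, filter_packet("wan0", "in", p))
```

Two things the slides state become visible when the list is run: rule order matters (the host deny sits above the HTTPS permit, so that host is refused even for port 443), and the `established` criterion is what lets replies through without opening every inside port to new connections from outside. The outbound list is the "protect internal LAN's address identity" idea from the firewall slide in its simplest form: nothing leaves with a source address that is not ours.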
• Port blocking
  – Prevents connection to and transmission completion through ports
• Optional firewall functions
  – Encryption
  – User authentication
  – Central management
  – Easy rule establishment
  – Filtering based on data contained in packets
  – Logging, auditing capabilities
  – Protect internal LAN’s address identity
  – Monitor data stream from end to end (stateful firewall)
• Tailoring a firewall
  – Consider type of traffic to filter
  – Consider exceptions to rules
• Packet-filtering firewalls
  – Cannot distinguish user trying to breach firewall from authorized user

Proxy Servers
• Proxy service
  – Network host software application
    • Intermediary between external and internal networks
    • Screens all incoming and outgoing traffic
• Proxy server
  – Network host running proxy service
  – Also called application layer gateway, application gateway, proxy
  – Manages security at Application layer
• Fundamental function
  – Prevent outside world from discovering internal network addresses
• Improves performance for external users
  – File caching

Figure 11-5 A proxy server used on a WAN (Courtesy Course Technology/Cengage Learning)

Scanning Tools
• Used during posture assessment
  – Duplicate hacker methods
• NMAP (Network Mapper)
  – Designed to scan large networks
  – Provides information about network and hosts
  – Free to download
• Nessus
  – Performs more sophisticated scans than NMAP

Lures
• Honeypot
  – Decoy system that is purposefully vulnerable
  – Designed to fool hackers and gain information about their behavior
• Honeynet
  – Network of honeypots

NOS (Network Operating System) Security
• Restrict user authorization
  – Access to server files and directories
  – Public rights
    • Conferred to all users
    • Very limited
  – Group users according to security levels
    • Assign additional rights

Logon Restrictions
• Additional restrictions to strengthen security
  – Time of day
  – Total time logged on
  – Source address
  – Unsuccessful logon attempts

Passwords
• Choosing secure password
  – Guards against unauthorized access
  – Easy, inexpensive
• Communicate password guidelines
  – Use security policy
  – Stress importance of company’s financial, personnel data security
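The Logon Restrictions slide lists four controls a NOS can apply on top of the password itself. The Python below is an added example, not the textbook's code or any particular NOS implementation, that enforces all four: an allowed time-of-day window, permitted source networks, lockout after repeated unsuccessful attempts, and a cap on total time logged on. The policy values and the sequence of attempts in `run_scenario` are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, time, timedelta
from ipaddress import ip_address, ip_network


@dataclass
class LogonPolicy:
    """The four restrictions from the slide, with assumed values."""
    allowed_hours: tuple = (time(7, 0), time(19, 0))   # time of day
    allowed_sources: tuple = ("10.1.0.0/16",)           # source address
    max_failures: int = 3                               # unsuccessful logon attempts
    failure_window: timedelta = timedelta(minutes=15)
    max_session: timedelta = timedelta(hours=10)        # total time logged on


class LogonGuard:
    def __init__(self, policy):
        self.policy = policy
        self.failures = {}   # user -> timestamps of recent failed attempts
        self.sessions = {}   # user -> time the current session started

    def check(self, user, src, when):
        """Decide whether a logon attempt may proceed to the password check.
        Returns (allowed, reason)."""
        start, end = self.policy.allowed_hours
        if not (start <= when.time() < end):
            return False, "outside allowed hours"
        if not any(ip_address(src) in ip_network(net) for net in self.policy.allowed_sources):
            return False, "source address not permitted"
        # Keep only failures still inside the window, then apply the lockout.
        recent = [t for t in self.failures.get(user, ()) if when - t <= self.policy.failure_window]
        self.failures[user] = recent
        if len(recent) >= self.policy.max_failures:
            return False, "locked out after repeated failed logons"
        return True, "ok"

    def record(self, user, when, success):
        """Feed back the password-check result so the lockout state stays current."""
        if success:
            self.failures.pop(user, None)
            self.sessions[user] = when
        else:
            self.failures.setdefault(user, []).append(when)

    def session_expired(self, user, now):
        """Total-time-logged-on limit: True once the session should be closed."""
        started = self.sessions.get(user)
        return started is not None and now - started > self.policy.max_session


def run_scenario():
    """Constructed sequence of attempts against the policy above."""
    guard = LogonGuard(LogonPolicy())
    base = datetime(2024, 3, 4, 9, 0)   # 09:00 on a working day
    results = []
    results.append(guard.check("alice", "10.1.4.2", base.replace(hour=3)))        # 03:00
    results.append(guard.check("alice", "203.0.113.9", base))                      # from outside
    for minute in range(3):                                                        # three wrong passwords
        when = base + timedelta(minutes=minute)
        guard.check("alice", "10.1.4.2", when)
        guard.record("alice", when, success=False)
    results.append(guard.check("alice", "10.1.4.2", base + timedelta(minutes=4)))  # now locked
    later = base + timedelta(minutes=20)                                           # window has passed
    results.append(guard.check("alice", "10.1.4.2", later))
    guard.record("alice", later, success=True)
    results.append(guard.session_expired("alice", later + timedelta(hours=11)))
    return results


if __name__ == "__main__":
    for outcome in run_scenario():
        print(outcome)
```

The lockout is evaluated before the password is checked, so a guessing attempt gets the same "locked out" answer whether or not the password it carries is right; that is what keeps the unsuccessful-attempts restriction from leaking anything about the password.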
• Tips
  – Change system default passwords
  – Do not use familiar information or dictionary words
    • Dictionary attack
  – Use long passwords
    • Letters, numbers, special characters
  – Do not write down or share
  – Change frequently
  – Do not reuse
  – Use different passwords for different applications

Encryption
• Use of algorithm to scramble data
  – Format read by algorithm reversal (decryption)
• Designed to keep information private
• Many encryption forms exist
• Provides assurances
  – Data not modified between being sent and received
  – Data can be viewed only by intended recipient
  – Data was not forged by an intruder

Key Encryption
• Key
  – Random string of characters
  – Woven into original data’s bits
  – Generates unique data block
• Ciphertext
  – Scrambled data block
• Brute force attack
  – Attempt to discover key
  – Trying numerous possible character combinations

Figure 11-6 Key encryption and decryption (Courtesy Course Technology/Cengage Learning)

• Private key encryption
  – Data encrypted using single key
    • Known only by sender and receiver
  – Symmetric encryption
    • Same key used during both encryption and decryption
• DES (Data Encryption Standard)
  – Most popular private key encryption
  – IBM developed (1970s)
  – 56-bit key: secure at the time
• Triple DES
  – Weaves 56-bit key three times

Figure 11-7 Private key encryption (Courtesy Course Technology/Cengage Learning)
• AES (Advanced Encryption Standard)
  – Weaves 128, 160, 192, 256 bit keys through data multiple times
  – Popular form uses Rijndael algorithm
    • More secure than DES
    • Much faster than Triple DES
  – Replaced DES in high security level situations
• Private key encryption drawback
  – Sender must somehow share key with recipient
• Public key encryption
  – Data encrypted using two keys
  – Private key: user knows
  – Public key: anyone may request
• Public key server
  – Publicly accessible host
  – Freely provides users’ public keys
• Key pair
  – Combination of public key and private key
• Asymmetric encryption
  – Requires two different keys

Figure 11-8 Public key encryption (Courtesy Course Technology/Cengage Learning)

• Diffie-Hellman (1975)
  – First public key algorithm
• RSA
  – Most popular
  – Key creation
    • Choose two large prime numbers, multiplying together
  – May be used in conjunction with RC4
    • Weaves key with data multiple times, as computer issues data stream
• RC4
  – Key up to 2048 bits long
  – Highly secure and fast
• Digital certificate
  – Password-protected, encrypted file
  – Holds identification information
  – Includes public key
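The Key Encryption slides make three claims that are easier to see in code than in bullets: RSA keys come from multiplying two primes, a public key can wrap a symmetric session key so the sender never has to share a secret out of band (the "private key encryption drawback"), and the same key pair gives the integrity and origin assurances the Encryption slide lists. The block below is an added example using textbook RSA with toy-sized primes; it is not the textbook's code and not a usable cryptographic library. The primes, the placeholder session key and the message are assumptions, and real deployments use keys of thousands of bits with padding, which this example omits.

```python
import hashlib
from math import gcd, isqrt


def _is_prime(n):
    """Trial division; fine for the toy-sized primes used here."""
    if n < 2:
        return False
    return all(n % d for d in range(2, isqrt(n) + 1))


def make_keypair(p, q, e=65537):
    """Key creation as on the slide: choose two primes and multiply them.
    (n, e) is the public key anyone may request; (n, d) stays with its owner."""
    if not (_is_prime(p) and _is_prime(q)) or p == q:
        raise ValueError("p and q must be distinct primes")
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime with (p-1)(q-1)")
    d = pow(e, -1, phi)            # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def encrypt(public_key, m):
    """Only the holder of the matching private key can reverse this."""
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message must be an integer below n")
    return pow(m, e, n)


def decrypt(private_key, c):
    n, d = private_key
    return pow(c, d, n)


def _digest_int(data, n):
    # Hash first, then sign the hash.  The reduction mod n is only needed
    # because n is toy-sized here.
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(private_key, data):
    """Signing with the private key gives the 'not forged, not modified' assurances."""
    n, d = private_key
    return pow(_digest_int(data, n), d, n)


def verify(public_key, data, signature):
    n, e = public_key
    return pow(signature, e, n) == _digest_int(data, n)


def demo():
    """Hybrid use as the slide describes: the public key protects a symmetric
    session key, so the sender never has to hand over a secret out of band."""
    bob_public, bob_private = make_keypair(1000003, 1000033)    # toy primes (assumption)
    session_key = 0xC0FFEE                                       # placeholder for a symmetric key
    wrapped = encrypt(bob_public, session_key)                  # safe to send in the clear
    unwrapped = decrypt(bob_private, wrapped)                   # only Bob can do this
    alice_public, alice_private = make_keypair(1000037, 1000039)
    message = b"invoice total: 4200"
    sig = sign(alice_private, message)
    return {
        "session_key_recovered": unwrapped == session_key,
        "signature_valid": verify(alice_public, message, sig),
        "tamper_detected": not verify(alice_public, b"invoice total: 9200", sig),
    }


if __name__ == "__main__":
    print(demo())
```

The primes here are seven digits, so `n` is factored by hand in seconds and the private key falls out; that is the brute-force point from the Key Encryption slide in miniature, and the reason RSA keys in practice are 2048 bits or more.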
• CA (certificate authority)
  – Issues, maintains digital certificates
  – Example: Verisign
• PKI (public key infrastructure)
  – Use of certificate authorities to associate public keys with certain users

PGP (Pretty Good Privacy)
• Secures e-mail transmissions
• Developed by Phil Zimmermann (1990s)
• Public key encryption system
  – Verifies e-mail sender authenticity
  – Encrypts e-mail data in transmission
• Administered at MIT
• Freely available
  – Open source and proprietary
• Also used to encrypt storage device data

SSL (Secure Sockets Layer)
• Encrypts TCP/IP transmissions
  – Web pages and Web form data between client and server
  – Uses public key encryption technology
• Web pages using HTTPS
  – HTTP over Secure Sockets Layer, HTTP Secure
  – Data transferred from server to client (and vice versa) using SSL encryption
• HTTPS uses TCP port 443
• SSL session
  – Association between client and server
    • Defined by agreement
    • Specific set of encryption techniques
  – Created by SSL handshake protocol
• Handshake protocol
  – Allows client and server to authenticate
• SSL
  – Netscape originally developed
  – IETF attempted to standardize
    • TLS (Transport Layer Security) protocol

SSH (Secure Shell)
• Collection of protocols
• Provides Telnet capabilities with security
• Guards against security threats
  – Unauthorized host access
  – IP spoofing
  – Interception of data in transit
  – DNS spoofing
• Encryption algorithm (depends on version)
  – DES, Triple DES, RSA, Kerberos, others
• Developed by SSH Communications Security
  – Version requires license fee
• Open source versions available: OpenSSH
• Secure connection requires SSH running on both machines
• Requires public and private key generation
• Configuration options
  – Use one of several encryption types
  – Require client password
  – Perform port forwarding

SCP (Secure CoPy) and SFTP (Secure File Transfer Protocol)
• SCP (Secure CoPy) utility
  – Extension to OpenSSH
  – Allows copying of files from one host to another securely
  – Replaces insecure file copy protocols (FTP)
  – Included with UNIX, Linux, and Macintosh OS X operating systems
• Windows operating systems
  – Some SSH programs include SCP utility
  – Separate freeware SCP application: WinSCP

IPSec (Internet Protocol Security)
• Defines encryption, authentication, key management for TCP/IP transmissions
• Enhancement to IPv4
• Native IPv6 standard
• Difference from other methods
  – Encrypts data
    • Adds security information to all IP packet headers
  – Transforms data packets
  – Operates at Network layer (Layer 3)
• Two phase authentication
  – Key management
    • Two nodes agree on common parameters for key use
    • IKE (Internet Key Exchange)
  – Encryption
    • AH (authentication header)
    • ESP (Encapsulating Security Payload)
• Used with any TCP/IP transmission
  – Most commonly runs on routers, connectivity devices in VPN context
• VPN concentrator
  – Specialized device
  – Positioned at private network edge
  – Establishes VPN connections
  – Authenticates VPN clients
  – Establishes tunnels for VPN connections

Figure 11-9 Placement of a VPN concentrator on a WAN (Courtesy Course Technology/Cengage Learning)

Authentication Protocols
• Authentication
  – Process of verifying user’s credentials
    • Grant user access to secured resources
• Authentication protocols
  – Rules computers follow to accomplish authentication
• Several authentication protocol types
  – Vary by encryption scheme and by the steps taken to verify credentials

RADIUS and TACACS+
• Centralized service
  – Often used to manage resource access
• AAA (authentication, authorization, and accounting)
  – Category of protocols that provide service
  – Establish client’s identity
  – Examine credentials and allow or deny access
  – Track client’s system or network usage
• RADIUS (Remote Authentication Dial-In User Service)
  – Defined by the IETF
  – Runs over UDP
  – Can operate as application on remote access server
    • Or on dedicated RADIUS server
  – Highly scalable
  – May be used to authenticate wireless connections
  – Can work in conjunction with other network servers

Figure 11-10 A RADIUS server on a network (Courtesy Course Technology/Cengage Learning)

• TACACS+ (Terminal Access Controller Access Control System Plus)
  – Separate access, authentication, and auditing capabilities
  – Differences from RADIUS
    • Relies on TCP at the Network layer
  – Proprietary protocol developed by Cisco Systems, Inc.
  – Typically installed on a router

PAP (Password Authentication Protocol)
• PPP does not secure connections
  – Requires authentication protocols
• PAP authentication protocol
  – Operates over PPP
  – Uses two-step authentication process
  – Simple
  – Not secure
    • Sends client’s credentials in clear text

Figure 11-11 Two-step authentication used in PAP (Courtesy Course Technology/Cengage Learning)

CHAP and MS-CHAP
• CHAP (Challenge Handshake Authentication Protocol)
  – Operates over PPP
  – Encrypts user names, passwords
  – Uses three-way handshake
    • Three steps to complete authentication process
• Benefit over PAP
  – Password never transmitted alone
  – Password never transmitted in clear text
• MS-CHAP (Microsoft Challenge Authentication Protocol)
  – Used on Windows-based computers
• CHAP, MS-CHAP vulnerability
  – Eavesdropping could capture character string encrypted with password, then decrypt
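The PAP and CHAP slides contrast a two-step exchange that carries the password itself with a three-way handshake that never does. The Python below is an added example, not the textbook's code, that plays both sides of the CHAP handshake as RFC 1994 defines it (the response is an MD5 hash over the identifier, the shared secret and the random challenge) and builds a PAP request for comparison, so the bytes that cross the link can be inspected for the secret. The user name and shared secret are constructed values.

```python
import hashlib
import hmac
import os


def chap_response(identifier, secret, challenge):
    """CHAP (RFC 1994) response: MD5 over Identifier || shared secret || Challenge.
    The secret itself never appears on the link."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Authenticator:
    """The side that issues challenges (the access server)."""

    def __init__(self, secrets):
        self.secrets = secrets        # name -> shared secret, held on the server
        self.pending = {}             # identifier -> outstanding challenge
        self.next_id = 0

    def challenge(self):
        """Step 1: send a fresh identifier and a random challenge."""
        identifier = self.next_id & 0xFF
        self.next_id += 1
        value = os.urandom(16)
        self.pending[identifier] = value
        return identifier, value

    def verify(self, identifier, name, response):
        """Step 3: recompute the expected response and answer Success or Failure.
        Each identifier is usable once, so a captured response cannot be replayed."""
        challenge = self.pending.pop(identifier, None)
        secret = self.secrets.get(name)
        if challenge is None or secret is None:
            return False
        expected = chap_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)


class Peer:
    """The side proving it knows the secret (the dial-in client)."""

    def __init__(self, name, secret):
        self.name, self.secret = name, secret

    def respond(self, identifier, challenge):
        """Step 2: answer with the hash, never with the secret."""
        return identifier, self.name, chap_response(identifier, self.secret, challenge)


def pap_request(name, password):
    """For contrast, what PAP puts on the link: the credentials themselves."""
    return bytes([len(name)]) + name + bytes([len(password)]) + password


def run_handshake(authenticator, peer):
    """Drive the three-way handshake; return (result, bytes that crossed the link)."""
    identifier, challenge = authenticator.challenge()
    resp_id, name, response = peer.respond(identifier, challenge)
    on_the_wire = challenge + response + name
    return authenticator.verify(resp_id, name, response), on_the_wire


def demo():
    secret = b"correct horse battery"                      # constructed shared secret
    server = Authenticator({b"alice": secret})
    ok, wire = run_handshake(server, Peer(b"alice", secret))
    bad, _ = run_handshake(server, Peer(b"alice", b"wrong secret"))
    # Replay: a captured valid response presented a second time.
    identifier, challenge = server.challenge()
    _, _, captured = Peer(b"alice", secret).respond(identifier, challenge)
    first_use = server.verify(identifier, b"alice", captured)
    replayed = server.verify(identifier, b"alice", captured)
    return {
        "genuine_peer_accepted": ok,
        "wrong_secret_rejected": not bad,
        "first_use_accepted": first_use,
        "replay_rejected": not replayed,
        "secret_on_wire_chap": secret in wire,
        "secret_on_wire_pap": secret in pap_request(b"alice", secret),
    }


if __name__ == "__main__":
    print(demo())
```

What the example does not fix is the weakness the next slide names: an eavesdropper still sees both the challenge and the hash, and the hash is only as strong as the secret behind it. The server also has to keep the secret itself (not a one-way hash of it) to recompute the response, which is why the shared secret store on the authenticator needs the same protection as the passwords it replaces.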
• MS-CHAPv2 (Microsoft Challenge Authentication Protocol, version 2)
  – Uses stronger encryption
  – Does not use same encryption strings for transmission, reception
  – Requires mutual authentication
    • Both computers verify credentials of the other

Figure 11-12 Three-way handshake used in CHAP (Courtesy Course Technology/Cengage Learning)

EAP (Extensible Authentication Protocol)
• Another authentication protocol
  – Operates over PPP
• Works with other encryption and authentication schemes
  – Verifies client, server credentials
• Requires authenticator to initiate authentication process
  – Asks connected computer to verify itself
• EAP’s advantages: flexibility, adaptability

802.1x (EAPoL)
• Codified by IEEE
  – Specifies use of one of many authentication methods plus EAP
  – Grants access to, and dynamically generates and updates authentication keys for, transmissions to a particular port
• Primarily used with wireless networks
• Originally designed for wired LAN
  – EAPoL (EAP over LAN)
• Only defines process for authentication
• Commonly used with RADIUS authentication

Figure 11-13 802.1x authentication process (Courtesy Course Technology/Cengage Learning)

Kerberos
• Cross-platform authentication protocol
• Uses key encryption
  – Verifies client identity
  – Securely exchanges information after client logs on
• Private key encryption service
• Provides significant security advantages over simple NOS authentication
• Terms
  – KDC (Key Distribution Center)
  – AS (authentication service)
  – Ticket
  – Principal
• Single sign-on
  – Single authentication to access multiple systems or resources
• Two-factor authentication
  – Example: token and password

Wireless Network Security
• Wireless transmissions
  – Susceptible to eavesdropping
• War driving
  – Effective for obtaining private information
• War chalking
  – Marking symbols to publicize access point SSID, secured status

WEP (Wired Equivalent Privacy)
• 802.11 standard security
  – None by default
  – Access points
    • No client authentication required prior to communication
  – SSID: only item required
• WEP
  – Uses keys
  – Authenticates network clients
  – Encrypts data in transit
• Network key
  – Character string required to associate with access point
• WEP implementations
  – First: 64-bit keys
  – Current: 128-bit, 256-bit keys
• WEP flaws

IEEE 802.11i and WPA (Wi-Fi Protected Access)
• 802.11i uses 802.1x (EAPoL)
  – Authenticate devices
  – Dynamically assign every transmission its own key
  – Relies on TKIP
    • Encryption key generation, management scheme
  – Uses AES encryption
• WPA (Wi-Fi Protected Access)
  – Subset of 802.11i
  – Same authentication as 802.11i
  – Uses RC4 encryption

Table 11-1 Notable encryption and authentication methods (Courtesy Course Technology/Cengage Learning)

Summary
• Posture assessment used to evaluate security risks
• Router’s access control list directs forwarding or dropping packets based on certain criteria
• Intrusion detection and intrusion prevention systems used to monitor, alert, and respond to intrusions
• Firewalls selectively filter or block traffic between networks
• Various encryption algorithms exist
• TKIP: a better wireless security solution than WEP